The popular blogging platform has released a security update to mitigate a recently discovered critical zero-day flaw potentially impacting millions of WordPress websites.

Finland-based security researcher Jouko Pynnönen disclosed on Sunday that current versions (4.2 and earlier) of WordPress were vulnerable to a stored cross site scripting (XSS) bug, which allowed an unauthenticated attacker to inject JavaScript in WordPress comments and ultimately, control the server remotely.

“The script is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.”

Furthermore, Pynnönen claims the flaw could give an attacker the capability to change the administrator’s password, as well as create new admin accounts.

In a short video, Pynnönen demonstrates how the attack can be carried out to gain access to a backdoor. A comment is posted with the malicious JavaScript code, followed by 66,000 characters – more than 64 kilobytes in size:

Although the majority of WordPress vulnerabilities reside within plug-ins, the critical vulnerability appears to be similar to one reported in 2014 by Cedric Van Bockhaven, which was patched 14 months after being reported. The flaw used invalid characters to truncate the comment, as opposed to the massive amounts of text.